Over 50 apps issued through Google Play bared millions of Android users to unwanted adware, researchers said.
Android XavirAd, as researchers have called it, is an adware library that displays ads to affected users, and also collects personal information and sends it to a remote server, said researchers at Sophos.
Detected as Andr/Infostl-BK, the information-stealing component may have compromised up to 55 million users, the researchers said.
To explain how the malicious code works, researchers viewed an application called Add Text on A Photo. The app displays full screen advertisements at regular intervals, even when it isn’t being used.
When launched, the XavirAd library contacts a remote server to get configuration code. The server sends it the advertisement settings, including full screen ad intervals, and the library saves the information in shared preferences. The domain used for this is api-restlet.com, which ended up registered a year and a half ago. It has its origins in Vietnam, researchers said.
The program then downloads another .dex file from cloud.api-restlet.com, meant to collect various information from the user’s phone: The email address for the Google account, list of installed apps, IMEI identifier and android_id, screen resolution, SIM operator, app installation source, and device manufacturer, model, brand, and OS version. The collected data is encrypted and sent to a web address.
Sophos’ researchers also discovered that the XavirAd library tries to hide itself from security inspection. It uses encrypted strings, the class constructor contains a different decryption routine for each class, and keys are different in each class, although the algorithm remains the same.